Securing the Mainframe: How Companies can Empower Security Analysts to Protect the Backbone of Their Enterprise
Despite two decades of predicted obsolescence, the mainframe continues to be relied upon by major organizations to run their core business applications with executives recognizing the mainframe as a platform for growth. This makes sense, considering how scalable and reliable the platform is for transactional processing and handling most organizations’ most vital user and financial data.
Yet, despite its importance to IT architecture, the mainframe is often neglected by the chief information security officer (CISO), who labels the platform “legacy” and chooses to instead prioritize limited security resources for use on the more familiar Windows- and Linux-based computers. Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solutions are considered baseline security for a Windows laptops, but this software is often critically lacking on the mainframe, which leaves a tremendous security gap. Analysts in the security operations centers (SOC) simply lack the tools and training to successfully monitor and defend this critical component.
To apply true holistic security best practices and reduce significant risks to the mainframe, security teams must embrace an integrated mainframe security strategy. This is imperative because:
The Threat is Real
The mainframe has historically been well-defended through its obscurity and prohibitive cost. Now, thanks to emulation and the deep pockets of advanced persistent threats (APTs), offensive security researchers are able to test platforms and identify once-obscure vulnerabilities, which makes it imperative that an enterprise security strategy extends EDR to all platforms, including the mainframe.
Technology can Amplify Human Resources
The most cyber-conscious organizations lean on security solutions to empower individual analysts to accomplish the work of many. EDR solutions can accelerate incident responses through the development of automated user-action timelines that tell analysts what triggered the alert, allowing them to rapidly discern whether a threat needs to be escalated or is a false positive. Without automation, an analyst must sort through the collected data and logs before determining if an incident was malicious. Outdated, legacy technology that relies on manual labor to dig through logs is not sufficient in these scenarios and leads to alert fatigue, which allows critical events to go unnoticed.
Most mainframe teams use system management facilities (SMF) to store and manage all mainframe messages. Originally built for accounting, SMF lacks the specificity required to detect or analyze malicious activity and is rarely connected to a real-time security information and event management (SIEM) system, which severely delays response time.
As these teams struggle to gain compliance with the onslaught of new regulations, many simply “check the boxes” to pass the next audit instead of integrating a solution into the large security plan. This leads to situations where they “store all failed logins” to meet a regulatory requirement, but it’s in a data lake that’s inaccessible to the security team. They’re technically compliant, but the data will sit unused and fail to provide actionable intelligence.
Incorporating the mainframe into your enterprise security architecture with EDR protection not only helps you meet compliance requirements but also enhanced the overall SOC capability—and allows analysts to focus on high-level tasks while the enriched data is sorted and analyzed automatically.
Practice Could Make the Difference Between a Catastrophic Impact or an Instant Recovery
Once an organization feels confident in its security solutions’ bandwidth and efficacy, the next step is testing its defensive posture. Cyber simulations can help defend a network and reveal how well an organization’s monitoring capabilities can detect and alert analysts to indicators of compromise. This feedback enables the security team to make incremental improvements based on the outcome from the exercise and prepares them for a real emergency threat.
When designing the simulation, organizations should test the communication and processes between the mainframe team and the SOC. Security analysts rarely have mainframe experience, which can cause critical alerts to be overlooked in favor of better-understood benign issues on the other platforms. By conducting a cohesive exercise that spans the breadth of the enterprise, analysts can test these linkages and highlight any gaps the organization may have.
At the end of the day, the mainframe is nothing more than another computer on the network. Every chief information officer (CIO) with a mainframe realizes their business would likely fail to operate if those mainframes were inoperable. When it comes to securing the platform, the simplest solution of applying intelligent security software like EDR and testing its effectiveness—the security best practice that exists on all other systems—is often the best and offers reassurance for every autonomous digital enterprise.